We will focus on just two of these options: "Allow double escaping" and "Allow unlisted file name extensions". By default, all of the above options are enabled in IIS, but security teams like to harden applications and so may ask for these to be disabled.

Allow double escaping:

For SharePoint, do not disable the "Allow double escaping" option. Most customers use special characters and spaces, and with the option disabled these will cause IIS to issue a 401.11 error message. Here is a good article on this: http://support.microsoft.com/kb/942076

Allow unlisted file name extensions:

"Allow unlisted file name extensions" is a way for IIS to essentially create a "white list" of file types that are allowed. This sounds like something easy to set up. First we need to get a list of the file extensions that are in use in our environment right now. The easiest way to do this is to run Logparser against your existing IIS logs.

This will create a CSV file called extension.csv, which we can later modify to create a BAT file that uses appcmd to add each extension to the allowed file extensions. If you attempt to load a page whose extension is not in the list of approved extensions, you will get a 404.7 error from IIS. See http://support.microsoft.com/kb/942045

The command to add the extension .ASPX to the allowed list is below; you would need to repeat this command for every extension listed in extension.csv:

So it seems that even using Logparser we won't get all the extensions. The first extension above is for JSON, but with the /CheckPermission following it, we will not get the extension with our Logparser query. SVC is another extension that will not get pulled up with our Logparser query. After adding these two extensions, I am able to browse my SharePoint sites.
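The extraction above, redone so that trailing path info does not hide the extension, as an added example that is not code from the original post: it reads IIS W3C log lines, takes the extension from the last dotted path segment (a heuristic), counts extensions denied with 404.7, and builds appcmd lines for a BAT file you review before running. The sample log lines, the function names and the site-name placeholder are constructed for illustration, and the appcmd syntax is the documented general form, not the author's missing command.

```python
import re
from collections import Counter

# Constructed sample in IIS W3C format (not taken from the original post).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status sc-substatus
2013-01-01 10:00:00 GET /SitePages/Home.ASPX - 200 0
2013-01-01 10:00:02 POST /_vti_bin/client.svc/ProcessQuery - 404 7
2013-01-01 10:00:03 GET /_vti_bin/example.json/CheckPermission - 404 7
2013-01-01 10:00:04 POST /_vti_bin/example.dll - 404 7
2013-01-01 10:00:05 GET /files/odd.ex'e - 404 7
2013-01-01 10:00:06 GET /sites/team/ - 200 0
"""

SAFE_EXT = re.compile(r"\.[a-z0-9_]{1,16}")

def extension_of(uri_stem):
    """Extension of the last dotted path segment, so trailing path info
    such as /client.svc/ProcessQuery still yields '.svc' (a heuristic)."""
    for segment in reversed(uri_stem.split("/")):
        name, dot, ext = segment.rpartition(".")
        if dot and name and ext:
            return "." + ext.lower()
    return None

def scan(log_text):
    """Return (extensions seen, extensions denied with 404.7) as Counters."""
    fields, seen, denied = [], Counter(), Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names follow the directive
        elif line.strip() and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            ext = extension_of(row.get("cs-uri-stem", ""))
            if ext:
                seen[ext] += 1
                if (row.get("sc-status"), row.get("sc-substatus")) == ("404", "7"):
                    denied[ext] += 1
    return seen, denied

def appcmd_lines(extensions, site):
    """One appcmd line per extension. Log data is client-controlled, so
    anything that does not match SAFE_EXT is left out of the BAT file."""
    prefix = f'appcmd.exe set config "{site}" -section:system.webServer/security/requestFiltering'
    return [f"{prefix} /+\"fileExtensions.[fileExtension='{e}',allowed='True']\""
            for e in sorted(extensions) if SAFE_EXT.fullmatch(e)]

if __name__ == "__main__":
    seen, denied = scan(SAMPLE_LOG)
    print("\n".join(appcmd_lines(seen, "SITE-NAME-PLACEHOLDER")))
```

Treat the output as a candidate list: every extension that appears in the logs was requested by some client, which does not by itself mean it should be allowed.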

Next, let's try loading SharePoint Designer and see how that works. Dang, looks like SharePoint is not installed.

Looking at the IIS logs, I don't see any 404 errors. Let's disable request filtering and take a look. Now SharePoint Designer loads. So let's look at the IIS logs again. You will see entries like below:

Looks like we need to add DLL as an allowed extension. After adding this extension and turning request filtering back on, I still can't get the site to open in Designer. Looking at the IIS logs this time, I have several 404.7 errors (see below):

Finally, I can open my SharePoint site using SharePoint Designer with request filtering turned on! As you navigate around and start to edit pages, you may find other file extensions that need to be added, and you may find that some of the extensions you need are already listed but have allowed set to false. As you encounter these extensions, you will want to consider your security posture and decide if you really need to enable these particular extensions.

The minimal extensions that I found I required just to load the default page and to open in SharePoint Designer are: